@tailor-platform/sdk 2.0.0-next.1 → 2.0.0-next.2

package/dist/cli/index.mjs

@@ -1,14 +1,14 @@
 #!/usr/bin/env node
-import { Et as AuthInvokerSchema, L as CustomDomainStatus, Nt as PATScope, Q as FunctionExecution_Type, _ as userAgent, a as fetchAll, c as fetchPlatformMachineUserToken, d as initOAuth2Client, f as initOperatorClient, l as fetchUserInfo, r as closeConnectionPool, s as fetchPaged } from "../client-z_oHGVNy.mjs";
+import { A as loadAccessToken, At as FunctionExecution_Type, B as fetchAll, C as getDistDir, D as deleteUserTokens, E as loadConfig, F as removeLegacyUserAlias, G as initOAuth2Client, H as fetchPaged, I as resolveTokens, K as initOperatorClient, L as saveUserTokens, M as loadMachineUserName, N as loadWorkspaceId, O as fetchLatestToken, P as readPlatformConfig, R as writePlatformConfig, U as fetchPlatformMachineUserToken, W as fetchUserInfo, _ as composeFunctionTreeshakeOptions, dn as PATScope, g as platformBundleDefinePlugin, ht as CustomDomainStatus, i as resolveInlineSourcemap, in as AuthInvokerSchema, k as findConfigUserKey, l as INVOKER_EXPR, o as WorkflowJobSchema, s as ResolverSchema, t as defineApplication, v as createLogLevelTreeshakeOptions, w as hashContent$1, y as resolveBundleLogLevel, z as closeConnectionPool } from "../application-XuMWK4eq.mjs";
 import { t as assertDefined } from "../assert-DBxo8jPo.mjs";
 import { n as logger, r as styles } from "../logger-CxF-Ex5d.mjs";
-import { $ as listCommand$10, $t as INITIAL_SCHEMA_NUMBER, An as commonArgs, At as startCommand, B as logBetaWarning, C as listCommand$13, Cn as PluginManager, Dt as jobsCommand, E as resumeCommand, En as apiCommand, F as writeDbTypesFile, Fn as pagedLogArgs, Gt as MIGRATION_LABEL_KEY, H as removeCommand$1, Ht as executeScript, I as getConfiguredEditorCommand, In as paginationArgs, Jt as compareSnapshotWithRemote, K as treeCommand, Kt as handleOptionalToRequiredError, L as openInConfiguredEditor, Ln as toPageDirection, Lt as functionExecutionStatusToString, Mn as confirmationArgs, Mt as getCommand$6, N as generateCommand$1, Nn as deploymentArgs, O as listCommand$12, On as assertWritable, P as generateMigrationScript, Pn as isVerbose, Pt as executionsCommand, Rn as workspaceArgs, Rt as formatKeyValueTable, Sn as sdkNameLabelKey, St as triggerCommand, T as healthCommand, Tn as prompt, U as updateCommand$3, Vt as deploy, Xt as protoGqlPermission, Y as getCommand$5, Yt as generateAllTypeManifestsFromSnapshot, Z as updateCommand$2, _n as formatMigrationDiff, an as createSnapshotFromLocalTypes, at as createCommand$3, b as createCommand$4, bn as ensureConfigId, c as listCommand$14, cn as getMigrationFilePath, dn as isValidMigrationNumber, f as restoreCommand, fn as loadDiff, ft as tokenCommand, g as getCommand$7, gt as listCommand$7, hn as parseMigrationNumberArg, ht as generate, i as updateCommand$4, j as truncateCommand, jn as configArg, kn as defineAppCommand, ln as getMigrationFiles, lt as getCommand$3, m as listCommand$15, mn as formatMigrationNumber, nn as assertValidMigrationFiles, o as removeCommand, on as getLatestMigrationNumber, pn as reconstructSnapshotFromMigrations, pt as listCommand$8, q as listCommand$11, qt as parseMigrationLabelNumber, r as queryCommand, rn as compareLocalTypesWithSnapshot, rt as deleteCommand$3, st as listCommand$9, t as isNativeTypeScriptRuntime, tt as getCommand$4, u as inviteCommand, v as deleteCommand$4, vn as hasChanges, vt as getCommand$2, wn as generateUserTypes, wt as listCommand$6, xn as resourceTrn, xt as webhookCommand, yn as getNamespacesWithMigrations, z as showCommand, zt as getCommand$1 } from "../runtime-n9NCkjee.mjs";
-import { A as loadAccessToken, C as getDistDir, D as deleteUserTokens, E as loadConfig, F as removeLegacyUserAlias, I as resolveTokens, L as saveUserTokens, M as loadMachineUserName, N as loadWorkspaceId, O as fetchLatestToken, P as readPlatformConfig, R as writePlatformConfig, _ as composeFunctionTreeshakeOptions, g as platformBundleDefinePlugin, i as resolveInlineSourcemap, k as findConfigUserKey, l as INVOKER_EXPR, o as WorkflowJobSchema, s as ResolverSchema, t as defineApplication, v as createLogLevelTreeshakeOptions, w as hashContent$1, y as resolveBundleLogLevel } from "../application-DqS1yBg3.mjs";
-import { n as ExecutorSchema } from "../service-CCL8ruDf.mjs";
+import { $ as updateCommand$2, $t as protoGqlPermission, A as listCommand$12, At as jobsCommand, Bn as toPageDirection, Bt as functionExecutionStatusToString, C as listCommand$13, Cn as ensureConfigId, Ct as webhookCommand, Dn as generateUserTypes, E as waitCommand, En as PluginManager, Et as listCommand$6, F as generateCommand$1, Fn as confirmationArgs, Ft as getCommand$6, G as updateCommand$3, Gt as executeScript, H as logBetaWarning, Ht as getCommand$1, I as generateMigrationScript, In as deploymentArgs, J as treeCommand, Jt as MIGRATION_LABEL_KEY, L as writeDbTypesFile, Ln as isVerbose, Lt as executionsCommand, Mn as defineAppCommand, N as truncateCommand, Nn as commonArgs, Nt as startCommand, O as resumeCommand, On as prompt, Pn as configArg, Qt as generateAllTypeManifestsFromSnapshot, R as getConfiguredEditorCommand, Rn as pagedLogArgs, Sn as getNamespacesWithMigrations, T as healthCommand, Tn as sdkNameLabelKey, V as showCommand, Vn as workspaceArgs, Vt as formatKeyValueTable, W as removeCommand$1, Wt as deploy, Xt as parseMigrationLabelNumber, Y as listCommand$11, Yt as handleOptionalToRequiredError, Z as getCommand$5, Zt as compareSnapshotWithRemote, _n as formatMigrationNumber, _t as generate, an as assertValidMigrationFiles, at as deleteCommand$3, b as createCommand$4, bn as formatMigrationDiff, bt as getCommand$2, c as listCommand$14, cn as createSnapshotFromLocalTypes, dn as getMigrationFilePath, dt as getCommand$3, f as restoreCommand, fn as getMigrationFiles, g as getCommand$7, gn as reconstructSnapshotFromMigrations, hn as loadDiff, ht as listCommand$8, i as updateCommand$4, jn as assertWritable, kn as apiCommand, ln as getLatestMigrationNumber, lt as listCommand$9, m as listCommand$15, mn as isValidMigrationNumber, mt as tokenCommand, nn as INITIAL_SCHEMA_NUMBER, o as removeCommand, on as compareLocalTypesWithSnapshot, r as queryCommand, rt as getCommand$4, st as createCommand$3, t as isNativeTypeScriptRuntime, tt as listCommand$10, u as inviteCommand, v as deleteCommand$4, vn as parseMigrationNumberArg, vt as listCommand$7, wn as resourceTrn, wt as triggerCommand, xn as hasChanges, z as openInConfiguredEditor, zn as paginationArgs } from "../runtime-CY4JvrDj.mjs";
+import { n as ExecutorSchema } from "../service-DjyqbCaJ.mjs";
 import { t as multiline } from "../multiline-sfHpTZZK.mjs";
 import { t as readPackageJson } from "../package-json-8b0O9TlX.mjs";
+import { i as userAgent } from "../secret-file-VSVGy1V0.mjs";
 import { n as isCLIError } from "../errors-Dtf2WPaW.mjs";
-import { a as JSON_FOOTER_MARKER, i as CRASH_LOG_EXTENSION, o as parseCrashReportConfig, r as sendCrashReport, t as initCrashReporting } from "../crashreport-BsjAkFWw.mjs";
+import { a as JSON_FOOTER_MARKER, i as CRASH_LOG_EXTENSION, o as parseCrashReportConfig, r as sendCrashReport, t as initCrashReporting } from "../crashreport-DFq-vsU0.mjs";
 import { t as isPluginGeneratedType } from "../type-source-DH_LH20p.mjs";
 import { arg, defineCommand, runCommand, runMain } from "politty";
 import { withCompletionCommand } from "politty/completion";
@@ -21,6 +21,7 @@ import { dirname, resolve } from "pathe";
 import { fileURLToPath, pathToFileURL } from "node:url";
 import { generateCodeVerifier } from "@badgateway/oauth2-client";
 import { Code, ConnectError } from "@connectrpc/connect";
+import pLimit from "p-limit";
 import { resolvePackageJSON, resolveTSConfig } from "pkg-types";
 import * as crypto from "node:crypto";
 import { createHash } from "node:crypto";
@@ -29,13 +30,12 @@ import open from "open";
 import * as rolldown from "rolldown";
 import * as fsPromises from "node:fs/promises";
 import { glob } from "node:fs/promises";
-import pLimit from "p-limit";
+import { setTimeout as setTimeout$1 } from "node:timers/promises";
 import { TraceMap, generatedPositionFor, originalPositionFor } from "@jridgewell/trace-mapping";
 import { spawn, spawnSync } from "node:child_process";
 import { watch } from "chokidar";
 import * as fs from "fs";
 import { lookup } from "mime-types";
-import { setTimeout as setTimeout$1 } from "node:timers/promises";
 
 //#region src/cli/commands/authconnection/args.ts
 /**
@@ -1143,21 +1143,21 @@ function generateEntry(detected, sourceFile, env, machineUser, workspaceId) {
         export { _fn as main };
       `;
 		case "resolver": {
-			const userExpr = buildMachineUserExpr(machineUser, workspaceId);
+			const principalExpr = buildMachinePrincipalExpr(machineUser, workspaceId);
 			return multiline`
         import _internalResolver from "${absoluteSourcePath}";
         import { t } from "@tailor-platform/sdk";
 
         const _env = ${JSON.stringify(env)};
-        const _user = ${userExpr};
+        const _caller = ${principalExpr};
 
         const $tailor_resolver_body = async (context) => {
-          const _invoker = ${INVOKER_EXPR};
+          const _invoker = ${INVOKER_EXPR} ?? _caller;
           if (_internalResolver.input) {
             const result = t.object(_internalResolver.input).parse({
               value: context,
               data: context,
-              user: _user,
+              invoker: _invoker,
             });
 
             if (result.issues) {
@@ -1168,7 +1168,7 @@ function generateEntry(detected, sourceFile, env, machineUser, workspaceId) {
             }
           }
 
-          const enrichedContext = { input: context, env: _env, user: _user, invoker: _invoker };
+          const enrichedContext = { input: context, env: _env, caller: _caller, invoker: _invoker };
           return _internalResolver.body(enrichedContext);
         };
 
@@ -1176,15 +1176,15 @@ function generateEntry(detected, sourceFile, env, machineUser, workspaceId) {
       `;
 		}
 		case "executor": {
-			const actorExpr = buildMachineActorExpr(machineUser, workspaceId);
+			const principalExpr = buildMachinePrincipalExpr(machineUser, workspaceId);
 			return multiline`
         import _internalExecutor from "${absoluteSourcePath}";
 
         const _env = ${JSON.stringify(env)};
-        const _actor = ${actorExpr};
+        const _actor = ${principalExpr};
 
         const __executor_function = async (args) => {
-          const _invoker = ${INVOKER_EXPR};
+          const _invoker = ${INVOKER_EXPR} ?? _actor;
           return _internalExecutor.operation.body({ ...args, env: _env, actor: _actor, invoker: _invoker });
         };
 
@@ -1193,13 +1193,15 @@ function generateEntry(detected, sourceFile, env, machineUser, workspaceId) {
 		}
 		case "workflow-job": {
 			const exportName = assertDefined(detected.exportName, "workflow job export name missing");
+			const principalExpr = buildMachinePrincipalExpr(machineUser, workspaceId);
 			return multiline`
         import { ${exportName} } from "${absoluteSourcePath}";
 
         const env = ${JSON.stringify(env)};
+        const fallbackInvoker = ${principalExpr};
 
         export async function main(input) {
-          const invoker = ${INVOKER_EXPR};
+          const invoker = ${INVOKER_EXPR} ?? fallbackInvoker;
           return await ${exportName}.body(input, { env, invoker });
         }
       `;
@@ -1207,35 +1209,20 @@ function generateEntry(detected, sourceFile, env, machineUser, workspaceId) {
 	}
 }
 /**
-* Build a JSON expression for a machine user TailorUser object.
+* Build a JSON expression for a machine user TailorPrincipal object.
 * @param machineUser - Resolved machine user info
 * @param workspaceId - Workspace ID
 * @returns JSON string for the user expression
 */
-function buildMachineUserExpr(machineUser, workspaceId) {
+function buildMachinePrincipalExpr(machineUser, workspaceId) {
 	return JSON.stringify({
 		id: machineUser.id,
 		type: "machine_user",
 		workspaceId,
-		attributes: machineUser.attributes,
+		attributes: machineUser.attributes ?? {},
 		attributeList: machineUser.attributeList
 	});
 }
-/**
-* Build a JSON expression for a machine user TailorActor object.
-* @param machineUser - Resolved machine user info
-* @param workspaceId - Workspace ID
-* @returns JSON string for the actor expression
-*/
-function buildMachineActorExpr(machineUser, workspaceId) {
-	return JSON.stringify({
-		workspaceId,
-		userId: machineUser.id,
-		attributes: machineUser.attributes,
-		attributeList: machineUser.attributeList,
-		userType: "USER_TYPE_MACHINE_USER"
-	});
-}
 
 //#endregion
 //#region src/cli/commands/function/detect.ts
@@ -1258,7 +1245,7 @@ async function detectFunctionType(options) {
 		const rawInput = module.default.input;
 		let inputSchema;
 		if (rawInput) {
-			const { t } = await import("../types-ClhIrW_C.mjs");
+			const { t } = await import("../types-74etvaxy.mjs");
 			inputSchema = t.object(rawInput);
 		}
 		return {
@@ -1444,11 +1431,9 @@ When a \`.js\` file is provided, detection and bundling are skipped and the file
 			functionType = detected.type;
 			functionName = detected.name;
 			logger.info(`Detected: ${styles.bold(detected.type)} ${styles.info(`"${detected.name}"`)}`);
-			if (detected.type === "resolver" && args.arg) {
-				if (!detected.hasInput) {
-					logger.warn("--arg is ignored because this resolver has no input schema. Define \"input\" in your resolver to use --arg.");
-					args.arg = void 0;
-				} else if (detected.inputSchema) JSON.parse(args.arg);
+			if (detected.type === "resolver" && args.arg && !detected.hasInput) {
+				logger.warn("--arg is ignored because this resolver has no input schema. Define \"input\" in your resolver to use --arg.");
+				args.arg = void 0;
 			}
 			logger.info("Bundling...");
 			({bundledCode, scriptName} = await bundleForTestRun({
@@ -1462,18 +1447,24 @@ When a \`.js\` file is provided, detection and bundling are skipped and the file
 			}));
 			logger.info(`Bundled as ${styles.bold(scriptName)}`);
 		}
-		const authInvoker = create(AuthInvokerSchema, {
+		const invoker = create(AuthInvokerSchema, {
 			namespace: authNamespace,
 			machineUserName: machineUser.name
 		});
 		logger.info(`Executing on workspace ${styles.dim(workspaceId)}...`);
+		let parsedArg;
+		if (args.arg !== void 0) try {
+			parsedArg = JSON.parse(args.arg);
+		} catch (error) {
+			throw new Error(`Invalid --arg JSON: ${error instanceof Error ? error.message : error}`, { cause: error });
+		}
 		const result = await executeScript({
 			client,
 			workspaceId,
 			name: scriptName,
 			code: bundledCode,
-			arg: args.arg,
-			invoker: authInvoker
+			arg: parsedArg,
+			invoker
 		});
 		if (jsonOutput) logger.out({
 			success: result.success,
@@ -2551,7 +2542,7 @@ const secretCommand = defineCommand({
 });
 
 //#endregion
-//#region src/cli/commands/setup/github/git.ts
+//#region src/cli/commands/setup/git.ts
 const defaultGitRunner = (args, cwd) => {
 	const result = spawnSync("git", args, {
 		cwd,
@@ -2582,7 +2573,7 @@ function detectDefaultBranch(cwd, run = defaultGitRunner) {
 }
 
 //#endregion
-//#region src/cli/commands/setup/github/lock.ts
+//#region src/cli/commands/setup/lock.ts
 /** Current lock schema version. Bumped only on breaking lock-format changes. */
 const LOCK_VERSION = 1;
 /** Lock file path, relative to the repository root. */
@@ -2648,66 +2639,24 @@ function findTarget(lock, kind, workspaceName) {
 }
 
 //#endregion
-//#region src/cli/commands/setup/github/branch.workflow.yml
-var branch_workflow_default = "# __HEADER__\nname: Tailor (__WORKSPACE_NAME__)\n\non:\n  # __PULL_REQUEST_START__\n  pull_request:\n    branches: [\"__BRANCH__\"]\n    # __PATHS__\n  # __PULL_REQUEST_END__\n  push:\n    branches: [\"__BRANCH__\"]\n    # __PATHS__\n  workflow_dispatch:\n    # __DISPATCH_INPUTS_START__\n    inputs:\n      dry-run:\n        description: Preview changes without deploying\n        type: boolean\n        default: false\n    # __DISPATCH_INPUTS_END__\n\npermissions:\n  contents: read\n\njobs:\n  # __PLAN_JOB_START__\n  tailor-plan:\n    if: >-\n      github.event_name == 'pull_request' ||\n      (github.event_name == 'workflow_dispatch' && inputs['dry-run'])\n    runs-on: ubuntu-latest\n    timeout-minutes: 30\n    environment: __ENVIRONMENT__\n    permissions:\n      contents: read\n      pull-requests: write\n    concurrency:\n      group: tailor-plan-__WORKSPACE_NAME__-${{ github.event.pull_request.number || github.run_id }}\n      cancel-in-progress: true\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n        with:\n          fetch-depth: 0\n      - id: tailor-merge-base\n        if: github.event_name == 'pull_request' && !github.event.pull_request.head.repo.fork\n        env:\n          BASE_REF: ${{ github.base_ref }}\n        run: |\n          git config user.name \"github-actions[bot]\"\n          git config user.email \"41898282+github-actions[bot]@users.noreply.github.com\"\n          git fetch origin \"$BASE_REF:refs/remotes/origin/$BASE_REF\"\n          git merge --no-edit \"origin/$BASE_REF\"\n      # __SETUP_STEPS__\n      - id: tailor-generate\n        # __WORKING_DIRECTORY__\n        run: __PM_EXEC__ tailor-sdk generate\n      - id: tailor-generate-check\n        run: |\n          git add -A\n          if ! git diff --cached --quiet; then\n            git --no-pager diff --cached --stat\n            echo \"::error::Generated files are out of date. Run 'tailor-sdk generate' locally and commit the result.\"\n            exit 1\n          fi\n      - id: tailor-mask-credentials\n        # Fork PRs cannot read secrets; the checks above still run for them.\n        if: >-\n          (github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork) &&\n          vars.TAILOR_PLATFORM_WORKSPACE_ID != ''\n        run: |\n          echo \"::add-mask::$CLIENT_ID\"\n          echo \"::add-mask::$CLIENT_SECRET\"\n        env:\n          CLIENT_ID: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          CLIENT_SECRET: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n      - id: tailor-login\n        if: >-\n          (github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork) &&\n          vars.TAILOR_PLATFORM_WORKSPACE_ID != ''\n        # __WORKING_DIRECTORY__\n        run: __PM_EXEC__ tailor-sdk login --machine-user\n        env:\n          TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n      - id: tailor-plan\n        if: >-\n          (github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork) &&\n          vars.TAILOR_PLATFORM_WORKSPACE_ID != ''\n        # __WORKING_DIRECTORY__\n        run: |\n          if [ -z \"$TAILOR_PLATFORM_WORKSPACE_ID\" ]; then\n            echo \"exit-code=\" >> \"$GITHUB_OUTPUT\"\n            exit 0\n          fi\n\n          set +e\n          OUTPUT=$(__PM_EXEC__ tailor-sdk deploy --dry-run --yes 2>&1)\n          EXIT_CODE=$?\n          set -e\n\n          MAX_OUTPUT=60000\n          if [ \"${#OUTPUT}\" -gt \"$MAX_OUTPUT\" ]; then\n            LOG_STOP_TOKEN=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)\n            echo \"::group::Full Tailor Platform plan output\"\n            echo \"::stop-commands::$LOG_STOP_TOKEN\"\n            printf '%s\\n' \"$OUTPUT\"\n            echo \"::$LOG_STOP_TOKEN::\"\n            echo \"::endgroup::\"\n            OUTPUT_TAIL=\"${OUTPUT: -$MAX_OUTPUT}\"\n            OUTPUT=$(printf '%s\\n\\n%s' \"[output truncated to the last $MAX_OUTPUT characters - see the workflow logs for the full plan]\" \"$OUTPUT_TAIL\")\n          fi\n\n          EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)\n          {\n            echo \"exit-code=$EXIT_CODE\"\n            echo \"output<<$EOF\"\n            echo \"$OUTPUT\"\n            echo \"$EOF\"\n          } >> \"$GITHUB_OUTPUT\"\n        env:\n          TAILOR_PLATFORM_WORKSPACE_ID: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n      - id: tailor-plan-summary\n        if: github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork\n        run: |\n          if [ -n \"$LABEL\" ]; then\n            KEY=\"$LABEL\"\n          elif [ -n \"$WORKSPACE_ID\" ]; then\n            KEY=\"$WORKSPACE_ID\"\n          else\n            KEY=\"workspace\"\n          fi\n\n          if [ -z \"$WORKSPACE_ID\" ]; then\n            {\n              echo \"## Tailor Platform Plan ($KEY)\"\n              echo \"\"\n              echo \"Workspace is not provisioned yet. Set TAILOR_PLATFORM_WORKSPACE_ID after provisioning the workspace.\"\n            } >> \"$GITHUB_STEP_SUMMARY\"\n            exit 0\n          fi\n\n          if [ \"$DRY_RUN_EXIT_CODE\" = \"0\" ]; then\n            STATUS=\"PASS\"\n          else\n            STATUS=\"FAIL\"\n          fi\n\n          {\n            echo \"## $STATUS Tailor Platform Plan ($KEY)\"\n            echo \"\"\n            echo \"<details>\"\n            echo \"<summary>Plan output (exit code: $DRY_RUN_EXIT_CODE)</summary>\"\n            echo \"\"\n            echo '```'\n            echo \"$DRY_RUN_OUTPUT\"\n            echo '```'\n            echo \"\"\n            echo \"</details>\"\n          } >> \"$GITHUB_STEP_SUMMARY\"\n        env:\n          WORKSPACE_ID: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n          LABEL: __WORKSPACE_NAME__\n          DRY_RUN_OUTPUT: ${{ steps.tailor-plan.outputs.output }}\n          DRY_RUN_EXIT_CODE: ${{ steps.tailor-plan.outputs.exit-code }}\n      - id: tailor-plan-comment\n        if: github.event_name == 'pull_request' && !github.event.pull_request.head.repo.fork\n        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9\n        env:\n          WORKSPACE_ID: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n          LABEL: __WORKSPACE_NAME__\n          DRY_RUN_OUTPUT: ${{ steps.tailor-plan.outputs.output }}\n          DRY_RUN_EXIT_CODE: ${{ steps.tailor-plan.outputs.exit-code }}\n        with:\n          github-token: ${{ secrets.GITHUB_TOKEN }}\n          script: |\n            const workspaceId = process.env.WORKSPACE_ID;\n            const label = process.env.LABEL;\n            const key = label || workspaceId || 'workspace';\n            const marker = `<!-- tailor-plan: ${key} -->`;\n\n            let body;\n            if (!workspaceId) {\n              body = [\n                marker,\n                `## Tailor Platform Plan (${key})`,\n                '',\n                'Workspace is not provisioned yet. Set TAILOR_PLATFORM_WORKSPACE_ID after provisioning the workspace.',\n                '',\n              ].join('\\n');\n            } else {\n              const exitCode = process.env.DRY_RUN_EXIT_CODE;\n              let output = process.env.DRY_RUN_OUTPUT;\n              const MAX_OUTPUT = 60000;\n              if (output.length > MAX_OUTPUT) {\n                const note = `[output truncated to the last ${MAX_OUTPUT} characters - see the job's step summary for the full plan]\\n\\n`;\n                output = note + output.slice(output.length - MAX_OUTPUT);\n              }\n              const status = exitCode === '0' ? 'PASS' : 'FAIL';\n              body = [\n                marker,\n                `## ${status} Tailor Platform Plan (${key})`,\n                '',\n                '<details>',\n                `<summary>Plan output (exit code: ${exitCode})</summary>`,\n                '',\n                '```',\n                output,\n                '```',\n                '',\n                '</details>',\n                '',\n              ].join('\\n');\n            }\n\n            const comments = await github.paginate(github.rest.issues.listComments, {\n              owner: context.repo.owner,\n              repo: context.repo.repo,\n              issue_number: context.issue.number,\n              per_page: 100,\n            });\n            const existingComment = comments.find(comment =>\n              comment.body?.includes(marker) &&\n              comment.user?.type === 'Bot' &&\n              comment.user?.login === 'github-actions[bot]'\n            );\n            if (existingComment) {\n              await github.rest.issues.updateComment({\n                owner: context.repo.owner,\n                repo: context.repo.repo,\n                comment_id: existingComment.id,\n                body,\n              });\n            } else {\n              await github.rest.issues.createComment({\n                owner: context.repo.owner,\n                repo: context.repo.repo,\n                issue_number: context.issue.number,\n                body,\n              });\n            }\n      - id: tailor-plan-fail\n        if: >-\n          (github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork) &&\n          vars.TAILOR_PLATFORM_WORKSPACE_ID != ''\n        run: |\n          if [ \"$DRY_RUN_EXIT_CODE\" != \"0\" ]; then\n            echo \"::error::Plan dry-run failed with exit code $DRY_RUN_EXIT_CODE\"\n            exit \"$DRY_RUN_EXIT_CODE\"\n          fi\n        env:\n          DRY_RUN_EXIT_CODE: ${{ steps.tailor-plan.outputs.exit-code }}\n  # __PLAN_JOB_END__\n  tailor-deploy:\n    # __DEPLOY_IF__\n    runs-on: ubuntu-latest\n    timeout-minutes: 30\n    permissions:\n      contents: read\n    environment: __ENVIRONMENT__\n    concurrency:\n      group: tailor-deploy-__WORKSPACE_NAME__\n      cancel-in-progress: false\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n      # __SETUP_STEPS__\n      - id: tailor-validate-workspace\n        env:\n          WORKSPACE_ID: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n        run: |\n          if [ -z \"$WORKSPACE_ID\" ]; then\n            echo \"::error::Workspace is not provisioned: TAILOR_PLATFORM_WORKSPACE_ID is empty. Provision the workspace and set the variable.\"\n            exit 1\n          fi\n      - id: tailor-mask-credentials\n        run: |\n          echo \"::add-mask::$CLIENT_ID\"\n          echo \"::add-mask::$CLIENT_SECRET\"\n        env:\n          CLIENT_ID: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          CLIENT_SECRET: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n      - id: tailor-login\n        # __WORKING_DIRECTORY__\n        run: __PM_EXEC__ tailor-sdk login --machine-user\n        env:\n          TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n      - id: tailor-generate\n        # __WORKING_DIRECTORY__\n        run: __PM_EXEC__ tailor-sdk generate\n        env:\n          TAILOR_PLATFORM_WORKSPACE_ID: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n      - id: tailor-deploy\n        # __WORKING_DIRECTORY__\n        run: __PM_EXEC__ tailor-sdk deploy --yes\n        env:\n          TAILOR_PLATFORM_WORKSPACE_ID: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n";
-
-//#endregion
-//#region src/cli/commands/setup/github/setup-bun.yml
-var setup_bun_default = "- id: tailor-setup-bun\n  uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0\n- id: tailor-install\n  run: bun install --frozen-lockfile\n";
-
-//#endregion
-//#region src/cli/commands/setup/github/setup-npm.yml
-var setup_npm_default = "- id: tailor-setup-node\n  uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0\n  with:\n    node-version-file: package.json\n    cache: npm\n- id: tailor-install\n  run: npm ci\n";
+//#region src/cli/commands/setup/branch.workflow.yml
+var branch_workflow_default = "# __HEADER__\nname: Tailor (__WORKSPACE_NAME__)\n\non:\n  # __PULL_REQUEST_START__\n  pull_request:\n    branches: [\"__BRANCH__\"]\n    # __PATHS__\n  # __PULL_REQUEST_END__\n  push:\n    branches: [\"__BRANCH__\"]\n    # __PATHS__\n  workflow_dispatch:\n    # __DISPATCH_INPUTS_START__\n    inputs:\n      dry-run:\n        description: Preview changes without deploying\n        type: boolean\n        default: false\n    # __DISPATCH_INPUTS_END__\n\npermissions:\n  contents: read\n\njobs:\n  # __PLAN_JOB_START__\n  tailor-plan:\n    if: >-\n      github.event_name == 'pull_request' ||\n      (github.event_name == 'workflow_dispatch' && inputs['dry-run'])\n    runs-on: ubuntu-latest\n    timeout-minutes: 30\n    environment: __ENVIRONMENT__\n    permissions:\n      contents: read\n      pull-requests: write\n    concurrency:\n      group: tailor-plan-__WORKSPACE_NAME__-${{ github.event.pull_request.number || github.run_id }}\n      cancel-in-progress: true\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n      - id: tailor-setup\n        uses: tailor-platform/actions/setup@7817f37adf2891fbb2ebbe0a3b222a5fa2ed0c1f # v1.3.0\n        with:\n          package-manager: __PACKAGE_MANAGER__\n      - id: tailor-generate-check\n        uses: tailor-platform/actions/generate-check@7817f37adf2891fbb2ebbe0a3b222a5fa2ed0c1f # v1.3.0\n        with:\n          package-manager: __PACKAGE_MANAGER__\n          # __WORKING_DIRECTORY__\n      - id: tailor-plan\n        # Fork PRs cannot read secrets; the checks above still run for them.\n        if: github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork\n        uses: tailor-platform/actions/plan@7817f37adf2891fbb2ebbe0a3b222a5fa2ed0c1f # v1.3.0\n        with:\n          workspace-id: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n          package-manager: __PACKAGE_MANAGER__\n          label: __WORKSPACE_NAME__\n          # __WORKING_DIRECTORY__\n          platform-client-id: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          platform-client-secret: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n          github-token: ${{ secrets.GITHUB_TOKEN }}\n  # __PLAN_JOB_END__\n  tailor-deploy:\n    # __DEPLOY_IF__\n    runs-on: ubuntu-latest\n    timeout-minutes: 30\n    permissions:\n      contents: read\n    environment: __ENVIRONMENT__\n    concurrency:\n      group: tailor-deploy-__WORKSPACE_NAME__\n      cancel-in-progress: false\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n      - id: tailor-setup\n        uses: tailor-platform/actions/setup@7817f37adf2891fbb2ebbe0a3b222a5fa2ed0c1f # v1.3.0\n        with:\n          package-manager: __PACKAGE_MANAGER__\n      - id: tailor-apply\n        uses: tailor-platform/actions/deploy@7817f37adf2891fbb2ebbe0a3b222a5fa2ed0c1f # v1.3.0\n        with:\n          workspace-id: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n          package-manager: __PACKAGE_MANAGER__\n          # __WORKING_DIRECTORY__\n          platform-client-id: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          platform-client-secret: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n";
 
 //#endregion
-//#region src/cli/commands/setup/github/setup-pnpm.yml
-var setup_pnpm_default = "- id: tailor-setup-pnpm\n  uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9\n- id: tailor-setup-node\n  uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0\n  with:\n    node-version-file: package.json\n    cache: pnpm\n- id: tailor-install\n  run: pnpm install --frozen-lockfile\n";
+//#region src/cli/commands/setup/tag.workflow.yml
+var tag_workflow_default = "# __HEADER__\nname: Tailor (__WORKSPACE_NAME__)\n\non:\n  push:\n    tags: [\"__TAG_PATTERN__\"]\n  workflow_dispatch:\n    inputs:\n      dry-run:\n        description: Preview changes without deploying\n        type: boolean\n        default: false\n\npermissions:\n  contents: read\n\njobs:\n  # __TAG_GUARD_JOB_START__\n  tailor-tag-guard:\n    runs-on: ubuntu-latest\n    timeout-minutes: 10\n    permissions:\n      contents: read\n    outputs:\n      on-branch: ${{ steps.tailor-tag-guard.outputs.on-branch }}\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n        with:\n          fetch-depth: 0\n      - id: tailor-tag-guard\n        uses: tailor-platform/actions/tag-guard@7817f37adf2891fbb2ebbe0a3b222a5fa2ed0c1f # v1.3.0\n        with:\n          target-branch: \"__BRANCH__\"\n  # __TAG_GUARD_JOB_END__\n  tailor-plan:\n    # __PLAN_NEEDS__\n    # __PLAN_IF__\n    runs-on: ubuntu-latest\n    timeout-minutes: 30\n    environment: __ENVIRONMENT__\n    permissions:\n      contents: read\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n      - id: tailor-setup\n        uses: tailor-platform/actions/setup@7817f37adf2891fbb2ebbe0a3b222a5fa2ed0c1f # v1.3.0\n        with:\n          package-manager: __PACKAGE_MANAGER__\n      - id: tailor-generate-check\n        uses: tailor-platform/actions/generate-check@7817f37adf2891fbb2ebbe0a3b222a5fa2ed0c1f # v1.3.0\n        with:\n          package-manager: __PACKAGE_MANAGER__\n          # __WORKING_DIRECTORY__\n      - id: tailor-plan\n        uses: tailor-platform/actions/plan@7817f37adf2891fbb2ebbe0a3b222a5fa2ed0c1f # v1.3.0\n        with:\n          workspace-id: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n          package-manager: __PACKAGE_MANAGER__\n          label: __WORKSPACE_NAME__\n          # __WORKING_DIRECTORY__\n          platform-client-id: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          platform-client-secret: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n\n  tailor-deploy:\n    needs: tailor-plan\n    if: ${{ !(github.event_name == 'workflow_dispatch' && inputs['dry-run']) }}\n    environment: __ENVIRONMENT__\n    runs-on: ubuntu-latest\n    timeout-minutes: 30\n    permissions:\n      contents: read\n    concurrency:\n      group: tailor-deploy-__WORKSPACE_NAME__\n      cancel-in-progress: false\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n      - id: tailor-setup\n        uses: tailor-platform/actions/setup@7817f37adf2891fbb2ebbe0a3b222a5fa2ed0c1f # v1.3.0\n        with:\n          package-manager: __PACKAGE_MANAGER__\n      - id: tailor-apply\n        uses: tailor-platform/actions/deploy@7817f37adf2891fbb2ebbe0a3b222a5fa2ed0c1f # v1.3.0\n        with:\n          workspace-id: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n          package-manager: __PACKAGE_MANAGER__\n          # __WORKING_DIRECTORY__\n          platform-client-id: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          platform-client-secret: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n";
 
 //#endregion
-//#region src/cli/commands/setup/github/setup-yarn.yml
-var setup_yarn_default = "- id: tailor-setup-node\n  uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0\n  with:\n    node-version-file: package.json\n    cache: yarn\n- id: tailor-install\n  run: yarn install --frozen-lockfile\n";
-
-//#endregion
-//#region src/cli/commands/setup/github/tag.workflow.yml
-var tag_workflow_default = "# __HEADER__\nname: Tailor (__WORKSPACE_NAME__)\n\non:\n  push:\n    tags: [\"__TAG_PATTERN__\"]\n  workflow_dispatch:\n    inputs:\n      dry-run:\n        description: Preview changes without deploying\n        type: boolean\n        default: false\n\npermissions:\n  contents: read\n\njobs:\n  # __TAG_GUARD_JOB_START__\n  tailor-tag-guard:\n    runs-on: ubuntu-latest\n    timeout-minutes: 10\n    permissions:\n      contents: read\n    outputs:\n      on-branch: ${{ steps.tailor-tag-guard.outputs.on-branch }}\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n        with:\n          fetch-depth: 0\n      - id: tailor-tag-guard\n        env:\n          TARGET_BRANCH: \"__BRANCH__\"\n        run: |\n          git fetch origin \"$TARGET_BRANCH\"\n          if git merge-base --is-ancestor \"$GITHUB_SHA\" \"origin/$TARGET_BRANCH\"; then\n            echo \"on-branch=true\" >> \"$GITHUB_OUTPUT\"\n          else\n            # A tag outside the target branch is not an error — just skip.\n            echo \"on-branch=false\" >> \"$GITHUB_OUTPUT\"\n            echo \"::notice::Tag $GITHUB_REF_NAME is not reachable from $TARGET_BRANCH; skipping deploy.\"\n          fi\n  # __TAG_GUARD_JOB_END__\n  tailor-plan:\n    # __PLAN_NEEDS__\n    # __PLAN_IF__\n    runs-on: ubuntu-latest\n    timeout-minutes: 30\n    environment: __ENVIRONMENT__\n    permissions:\n      contents: read\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n      # __SETUP_STEPS__\n      - id: tailor-generate\n        # __WORKING_DIRECTORY__\n        run: __PM_EXEC__ tailor-sdk generate\n      - id: tailor-generate-check\n        run: |\n          git add -A\n          if ! git diff --cached --quiet; then\n            git --no-pager diff --cached --stat\n            echo \"::error::Generated files are out of date. Run 'tailor-sdk generate' locally and commit the result.\"\n            exit 1\n          fi\n      - id: tailor-mask-credentials\n        if: vars.TAILOR_PLATFORM_WORKSPACE_ID != ''\n        run: |\n          echo \"::add-mask::$CLIENT_ID\"\n          echo \"::add-mask::$CLIENT_SECRET\"\n        env:\n          CLIENT_ID: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          CLIENT_SECRET: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n      - id: tailor-login\n        if: vars.TAILOR_PLATFORM_WORKSPACE_ID != ''\n        # __WORKING_DIRECTORY__\n        run: __PM_EXEC__ tailor-sdk login --machine-user\n        env:\n          TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n      - id: tailor-plan\n        if: vars.TAILOR_PLATFORM_WORKSPACE_ID != ''\n        # __WORKING_DIRECTORY__\n        run: |\n          if [ -z \"$TAILOR_PLATFORM_WORKSPACE_ID\" ]; then\n            echo \"exit-code=\" >> \"$GITHUB_OUTPUT\"\n            exit 0\n          fi\n\n          set +e\n          OUTPUT=$(__PM_EXEC__ tailor-sdk deploy --dry-run --yes 2>&1)\n          EXIT_CODE=$?\n          set -e\n\n          MAX_OUTPUT=60000\n          if [ \"${#OUTPUT}\" -gt \"$MAX_OUTPUT\" ]; then\n            LOG_STOP_TOKEN=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)\n            echo \"::group::Full Tailor Platform plan output\"\n            echo \"::stop-commands::$LOG_STOP_TOKEN\"\n            printf '%s\\n' \"$OUTPUT\"\n            echo \"::$LOG_STOP_TOKEN::\"\n            echo \"::endgroup::\"\n            OUTPUT_TAIL=\"${OUTPUT: -$MAX_OUTPUT}\"\n            OUTPUT=$(printf '%s\\n\\n%s' \"[output truncated to the last $MAX_OUTPUT characters - see the workflow logs for the full plan]\" \"$OUTPUT_TAIL\")\n          fi\n\n          EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)\n          {\n            echo \"exit-code=$EXIT_CODE\"\n            echo \"output<<$EOF\"\n            echo \"$OUTPUT\"\n            echo \"$EOF\"\n          } >> \"$GITHUB_OUTPUT\"\n        env:\n          TAILOR_PLATFORM_WORKSPACE_ID: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n      - id: tailor-plan-summary\n        run: |\n          if [ -n \"$LABEL\" ]; then\n            KEY=\"$LABEL\"\n          elif [ -n \"$WORKSPACE_ID\" ]; then\n            KEY=\"$WORKSPACE_ID\"\n          else\n            KEY=\"workspace\"\n          fi\n\n          if [ -z \"$WORKSPACE_ID\" ]; then\n            {\n              echo \"## Tailor Platform Plan ($KEY)\"\n              echo \"\"\n              echo \"Workspace is not provisioned yet. Set TAILOR_PLATFORM_WORKSPACE_ID after provisioning the workspace.\"\n            } >> \"$GITHUB_STEP_SUMMARY\"\n            exit 0\n          fi\n\n          if [ \"$DRY_RUN_EXIT_CODE\" = \"0\" ]; then\n            STATUS=\"PASS\"\n          else\n            STATUS=\"FAIL\"\n          fi\n\n          {\n            echo \"## $STATUS Tailor Platform Plan ($KEY)\"\n            echo \"\"\n            echo \"<details>\"\n            echo \"<summary>Plan output (exit code: $DRY_RUN_EXIT_CODE)</summary>\"\n            echo \"\"\n            echo '```'\n            echo \"$DRY_RUN_OUTPUT\"\n            echo '```'\n            echo \"\"\n            echo \"</details>\"\n          } >> \"$GITHUB_STEP_SUMMARY\"\n        env:\n          WORKSPACE_ID: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n          LABEL: __WORKSPACE_NAME__\n          DRY_RUN_OUTPUT: ${{ steps.tailor-plan.outputs.output }}\n          DRY_RUN_EXIT_CODE: ${{ steps.tailor-plan.outputs.exit-code }}\n      - id: tailor-plan-fail\n        if: vars.TAILOR_PLATFORM_WORKSPACE_ID != ''\n        run: |\n          if [ \"$DRY_RUN_EXIT_CODE\" != \"0\" ]; then\n            echo \"::error::Plan dry-run failed with exit code $DRY_RUN_EXIT_CODE\"\n            exit \"$DRY_RUN_EXIT_CODE\"\n          fi\n        env:\n          DRY_RUN_EXIT_CODE: ${{ steps.tailor-plan.outputs.exit-code }}\n\n  tailor-deploy:\n    needs: tailor-plan\n    if: ${{ !(github.event_name == 'workflow_dispatch' && inputs['dry-run']) }}\n    environment: __ENVIRONMENT__\n    runs-on: ubuntu-latest\n    timeout-minutes: 30\n    permissions:\n      contents: read\n    concurrency:\n      group: tailor-deploy-__WORKSPACE_NAME__\n      cancel-in-progress: false\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n      # __SETUP_STEPS__\n      - id: tailor-validate-workspace\n        env:\n          WORKSPACE_ID: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n        run: |\n          if [ -z \"$WORKSPACE_ID\" ]; then\n            echo \"::error::Workspace is not provisioned: TAILOR_PLATFORM_WORKSPACE_ID is empty. Provision the workspace and set the variable.\"\n            exit 1\n          fi\n      - id: tailor-mask-credentials\n        run: |\n          echo \"::add-mask::$CLIENT_ID\"\n          echo \"::add-mask::$CLIENT_SECRET\"\n        env:\n          CLIENT_ID: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          CLIENT_SECRET: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n      - id: tailor-login\n        # __WORKING_DIRECTORY__\n        run: __PM_EXEC__ tailor-sdk login --machine-user\n        env:\n          TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n      - id: tailor-generate\n        # __WORKING_DIRECTORY__\n        run: __PM_EXEC__ tailor-sdk generate\n        env:\n          TAILOR_PLATFORM_WORKSPACE_ID: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n      - id: tailor-deploy\n        # __WORKING_DIRECTORY__\n        run: __PM_EXEC__ tailor-sdk deploy --yes\n        env:\n          TAILOR_PLATFORM_WORKSPACE_ID: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n";
-
-//#endregion
-//#region src/cli/commands/setup/github/templates.ts
-const setupStepIds = {
-	pnpm: [
-		"tailor-setup-pnpm",
-		"tailor-setup-node",
-		"tailor-install"
-	],
-	yarn: ["tailor-setup-node", "tailor-install"],
-	npm: ["tailor-setup-node", "tailor-install"],
-	bun: ["tailor-setup-bun", "tailor-install"]
-};
-const setupSteps = {
-	pnpm: setup_pnpm_default,
-	yarn: setup_yarn_default,
-	npm: setup_npm_default,
-	bun: setup_bun_default
-};
-const execPrefix = {
-	npm: "npx",
-	pnpm: "pnpm exec",
-	yarn: "yarn",
-	bun: "bunx"
-};
-const HEADER = `# Generated by \`tailor-sdk setup github\` — managed by the Tailor SDK.
+//#region src/cli/commands/setup/templates.ts
+const HEADER = `# Generated by \`tailor-sdk setup\` — managed by the Tailor SDK.
 #
 # - Jobs and steps whose id starts with \`tailor-\` are managed by the SDK.
 #   Do not edit or rename them.
 # - State is tracked in .github/tailor-sdk.lock (machine-owned: commit it, never edit it).
-# - Re-running \`tailor-sdk setup github\` regenerates this file. If you have
+# - Re-running \`tailor-sdk setup\` regenerates this file. If you have
 #   edited it by hand, regeneration stops and asks for --force (which discards
 #   your edits), so prefer keeping customizations in your own jobs/steps and
 #   re-running setup after SDK updates.`;
-function indentSnippet(snippet, spaces) {
-	const indent = " ".repeat(spaces);
-	return snippet.trimEnd().split("\n").map((line) => line ? indent + line : line).join("\n");
-}
 /**
 * Detect the package manager used in a project directory by checking for lockfiles.
 * @param dir - Project directory to inspect
@@ -2735,11 +2684,7 @@ function applyCommon(content, params) {
 	const { workingDirectory, environment, packageManager } = params;
 	let out = line(content, "HEADER", HEADER);
 	out = line(out, "WORKING_DIRECTORY", workingDirectory ? `working-directory: ${workingDirectory}` : void 0);
-	out = out.replace(/^ *# __SETUP_STEPS__$/gm, () => indentSnippet(setupSteps[packageManager], 6));
-	return out.replaceAll("__WORKSPACE_NAME__", () => params.workspaceName).replaceAll("__ENVIRONMENT__", () => environment).replaceAll("__PM_EXEC__", () => execPrefix[packageManager]);
-}
-function setupIds(job, packageManager) {
-	return setupStepIds[packageManager].map((id) => `${job}/${id}`);
+	return out.replaceAll("__WORKSPACE_NAME__", () => params.workspaceName).replaceAll("__ENVIRONMENT__", () => environment).replaceAll("__PACKAGE_MANAGER__", () => packageManager);
 }
 /**
 * Render the branch-target deploy workflow.
@@ -2751,7 +2696,7 @@ function setupIds(job, packageManager) {
 * @returns Rendered YAML and the list of managed job/step ids
 */
 function renderBranchWorkflow(params) {
-	const { branch, plan, packageManager } = params;
+	const { branch, plan } = params;
 	let out = branch_workflow_default;
 	out = block(out, "PLAN_JOB", plan);
 	out = block(out, "PULL_REQUEST", plan);
@@ -2760,8 +2705,8 @@ function renderBranchWorkflow(params) {
 	out = line(out, "PATHS", params.workingDirectory ? `paths: ["${params.workingDirectory}/**"]` : void 0);
 	out = applyCommon(out, params).replaceAll("__BRANCH__", () => branch);
 	const generatedIds = [];
-	if (plan) generatedIds.push("tailor-plan", "tailor-plan/tailor-checkout", "tailor-plan/tailor-merge-base", ...setupIds("tailor-plan", packageManager), "tailor-plan/tailor-generate", "tailor-plan/tailor-generate-check", "tailor-plan/tailor-mask-credentials", "tailor-plan/tailor-login", "tailor-plan/tailor-plan", "tailor-plan/tailor-plan-summary", "tailor-plan/tailor-plan-comment", "tailor-plan/tailor-plan-fail");
-	generatedIds.push("tailor-deploy", "tailor-deploy/tailor-checkout", ...setupIds("tailor-deploy", packageManager), "tailor-deploy/tailor-validate-workspace", "tailor-deploy/tailor-mask-credentials", "tailor-deploy/tailor-login", "tailor-deploy/tailor-generate", "tailor-deploy/tailor-deploy");
+	if (plan) generatedIds.push("tailor-plan", "tailor-plan/tailor-checkout", "tailor-plan/tailor-setup", "tailor-plan/tailor-generate-check", "tailor-plan/tailor-plan");
+	generatedIds.push("tailor-deploy", "tailor-deploy/tailor-checkout", "tailor-deploy/tailor-setup", "tailor-deploy/tailor-apply");
 	return {
 		content: out,
 		generatedIds
@@ -2776,7 +2721,7 @@ function renderBranchWorkflow(params) {
 * @returns Rendered YAML and the list of managed job/step ids
 */
 function renderTagWorkflow(params) {
-	const { tagPattern, branch, packageManager } = params;
+	const { tagPattern, branch } = params;
 	const hasGuard = branch !== void 0;
 	let out = tag_workflow_default;
 	out = block(out, "TAG_GUARD_JOB", hasGuard);
@@ -2786,7 +2731,7 @@ function renderTagWorkflow(params) {
 	if (hasGuard) out = out.replaceAll("__BRANCH__", () => branch);
 	const generatedIds = [];
 	if (hasGuard) generatedIds.push("tailor-tag-guard", "tailor-tag-guard/tailor-checkout", "tailor-tag-guard/tailor-tag-guard");
-	generatedIds.push("tailor-plan", "tailor-plan/tailor-checkout", ...setupIds("tailor-plan", packageManager), "tailor-plan/tailor-generate", "tailor-plan/tailor-generate-check", "tailor-plan/tailor-mask-credentials", "tailor-plan/tailor-login", "tailor-plan/tailor-plan", "tailor-plan/tailor-plan-summary", "tailor-plan/tailor-plan-fail", "tailor-deploy", "tailor-deploy/tailor-checkout", ...setupIds("tailor-deploy", packageManager), "tailor-deploy/tailor-validate-workspace", "tailor-deploy/tailor-mask-credentials", "tailor-deploy/tailor-login", "tailor-deploy/tailor-generate", "tailor-deploy/tailor-deploy");
+	generatedIds.push("tailor-plan", "tailor-plan/tailor-checkout", "tailor-plan/tailor-setup", "tailor-plan/tailor-generate-check", "tailor-plan/tailor-plan", "tailor-deploy", "tailor-deploy/tailor-checkout", "tailor-deploy/tailor-setup", "tailor-deploy/tailor-apply");
 	return {
 		content: out,
 		generatedIds
@@ -2794,7 +2739,110 @@ function renderTagWorkflow(params) {
 }
 
 //#endregion
-//#region src/cli/commands/setup/github/github.ts
+//#region src/cli/commands/setup/check.ts
+/**
+* Compute drift findings for one target by comparing its recorded lock state
+* against the current repository/config state.
+* @param target - The lock target being audited
+* @param state - Current repository/config state for this target
+* @returns Drift findings (empty when the target is in sync)
+*/
+function findTargetDrift(target, state) {
+	const id = `${target.kind} ${target.workspaceName}`;
+	const findings = [];
+	if (!state.fileExists) findings.push({
+		target: id,
+		rule: "missing-file",
+		message: `${target.file} is missing or unreadable. Re-run setup to restore it.`
+	});
+	else if (state.currentHash !== null && state.currentHash !== target.contentHash) findings.push({
+		target: id,
+		rule: "hand-edit",
+		message: `${target.file} was edited by hand since it was generated. Re-run setup with --force to regenerate, or keep customizations in your own jobs/steps.`
+	});
+	if (target.templateVersion < state.templateVersion) findings.push({
+		target: id,
+		rule: "template-version",
+		message: `A newer workflow template is available (generated with v${String(target.templateVersion)}, current v${String(state.templateVersion)}). Re-run setup to update.`
+	});
+	if (!state.configExists) findings.push({
+		target: id,
+		rule: "config-dir",
+		message: `tailor.config.ts not found under "${target.inputs.dir}". The app directory may have moved; re-run setup with the correct --dir.`
+	});
+	if (target.kind === "branch" && target.inputs.branchAutoDetected !== false && state.defaultBranch !== null && target.inputs.branch !== null && target.inputs.branch !== state.defaultBranch) findings.push({
+		target: id,
+		rule: "default-branch",
+		message: `The workflow triggers on "${target.inputs.branch}" but the repository default branch is now "${state.defaultBranch}". If this is intentional, ignore this; otherwise re-run setup so the trigger matches the default branch.`
+	});
+	return findings;
+}
+function detectDefaultBranchSafe(cwd, run) {
+	try {
+		return detectDefaultBranch(cwd, run);
+	} catch {
+		return null;
+	}
+}
+function escapesRoot$1(rel) {
+	return path.isAbsolute(rel) || rel === ".." || rel.startsWith(`..${path.sep}`) || rel.startsWith("../");
+}
+function resolveWithinRoot(outputDir, relPath) {
+	if (path.isAbsolute(relPath)) return null;
+	const abs = path.join(outputDir, relPath);
+	if (escapesRoot$1(path.relative(outputDir, abs))) return null;
+	try {
+		if (escapesRoot$1(path.relative(fs$1.realpathSync(outputDir), fs$1.realpathSync(abs)))) return null;
+	} catch {}
+	return abs;
+}
+function readHash(absFile) {
+	try {
+		return hashContent(fs$1.readFileSync(absFile, "utf-8"));
+	} catch {
+		return null;
+	}
+}
+/**
+* Audit the generated workflows for drift against the current config/repo
+* state. Read-only: never writes files, the lock, or the config.
+*
+* Throws when drift is found (so it composes like the other `:check`
+* commands). The workflow drift-check step layers advisory behaviour on top
+* (per-rule ignore / continue-on-error); the CLI itself reports via exit code.
+* @param options - Check options
+*/
+function checkGitHub(options) {
+	logBetaWarning("setup");
+	const { outputDir } = options;
+	const lock = readLock(outputDir);
+	if (!lock || lock.targets.length === 0) throw new Error("No managed workflows found (.github/tailor-sdk.lock is missing or empty). Run `tailor-sdk setup` first.");
+	const exists = options.configExistsAt ?? ((p) => fs$1.existsSync(p));
+	const defaultBranch = detectDefaultBranchSafe(outputDir, options.gitRunner);
+	const findings = [];
+	for (const target of lock.targets) {
+		const absFile = resolveWithinRoot(outputDir, target.file);
+		const currentHash = absFile === null ? null : readHash(absFile);
+		const configAbs = resolveWithinRoot(outputDir, path.join(target.inputs.dir, "tailor.config.ts"));
+		findings.push(...findTargetDrift(target, {
+			fileExists: currentHash !== null,
+			currentHash,
+			configExists: configAbs !== null && exists(configAbs),
+			defaultBranch,
+			templateVersion: 2
+		}));
+	}
+	const count = lock.targets.length;
+	if (findings.length === 0) {
+		logger.success(`No drift detected across ${String(count)} target(s).`);
+		return;
+	}
+	for (const finding of findings) logger.warn(`[${finding.target}] ${finding.message} (ignore key: ${finding.rule})`);
+	throw new Error(`Detected ${String(findings.length)} drift finding(s) across ${String(count)} target(s). Re-run \`tailor-sdk setup\` to regenerate, or address each finding above.`);
+}
+
+//#endregion
+//#region src/cli/commands/setup/generate.ts
 async function defaultLoadConfigName(configPath) {
 	const { config } = await loadConfig(configPath);
 	return config.name;
@@ -2866,8 +2914,10 @@ async function resolve$1(options) {
 	validateEnvironment(environment);
 	if (kind === "tag") validateTagPattern(options.tagPattern);
 	let branch = null;
+	let branchAutoDetected = false;
 	let render;
 	if (kind === "branch") {
+		branchAutoDetected = options.branch === void 0;
 		branch = options.branch ?? detectDefaultBranch(options.outputDir, options.gitRunner);
 		validateBranch(branch);
 		render = renderBranchWorkflow({
@@ -2893,6 +2943,7 @@ async function resolve$1(options) {
 	const file = `.github/workflows/tailor-${workspaceName}.yml`;
 	const inputs = {
 		branch,
+		branchAutoDetected: kind === "branch" ? branchAutoDetected : void 0,
 		tagPattern: kind === "tag" ? options.tagPattern : null,
 		environment,
 		dir,
@@ -2981,7 +3032,7 @@ function printNextSteps(obj) {
 * @param options - Setup options
 */
 async function setupGitHub(options) {
-	logBetaWarning("setup github");
+	logBetaWarning("setup");
 	const resolved = await resolve$1(options);
 	const lock = readLock(options.outputDir);
 	const absFile = path.join(options.outputDir, resolved.file);
@@ -3033,11 +3084,23 @@ async function setupGitHub(options) {
 }
 
 //#endregion
-//#region src/cli/commands/setup/github/index.ts
-const githubCommand = defineAppCommand({
-	name: "github",
-	description: "Generate a GitHub Actions deploy workflow. (beta)",
+//#region src/cli/commands/setup/index.ts
+const checkCommand = defineAppCommand({
+	name: "check",
+	description: "Audit generated workflows for drift against the current config/repo (read-only).",
+	args: z.object({}).strict(),
+	run: () => {
+		checkGitHub({ outputDir: process.cwd() });
+	}
+});
+const setupCommand = defineAppCommand({
+	name: "setup",
+	description: "Generate a CI deploy workflow for your project. (beta)",
 	args: z.object({
+		provider: arg(z.enum(["github"], { message: "Only the 'github' provider is supported." }).default("github"), {
+			alias: "p",
+			description: "CI provider to generate for (only 'github' is supported)"
+		}),
 		"workspace-name": arg(z.string().min(1).optional(), {
 			alias: "n",
 			description: "Workspace name (defaults to the config 'name')"
@@ -3053,6 +3116,7 @@ const githubCommand = defineAppCommand({
 		}),
 		force: arg(z.boolean().default(false), { description: "Discard hand edits / take over unmanaged files and regenerate" })
 	}).strict(),
+	subCommands: { check: checkCommand },
 	run: async (args) => {
 		if (args["tag-pattern"] !== void 0 && !args.tag) throw new Error("--tag-pattern requires --tag.");
 		if (args["no-plan"] && args.tag) throw new Error("--no-plan cannot be combined with --tag.");
@@ -3070,14 +3134,6 @@ const githubCommand = defineAppCommand({
 	}
 });
 
-//#endregion
-//#region src/cli/commands/setup/index.ts
-const setupCommand = defineCommand({
-	name: "setup",
-	description: "Set up project infrastructure.",
-	subCommands: { github: githubCommand }
-});
-
 //#endregion
 //#region src/cli/shared/skills-installer.ts
 const SKILL_NAME = "tailor-sdk";
@@ -4749,7 +4805,7 @@ async function fetchRemoteTypes(client, workspaceId, namespace) {
 async function assertMigrationsReproduceLocalTypes(loaded, target) {
 	const { config, plugins } = loaded;
 	const pluginManager = plugins.length > 0 ? new PluginManager(plugins) : void 0;
-	const { defineApplication, generatePluginFilesIfNeeded } = await import("../application-DB2r36Et.mjs");
+	const { defineApplication, generatePluginFilesIfNeeded } = await import("../application-Dtqap5jM.mjs");
 	const application = defineApplication({
 		config,
 		pluginManager
@@ -4761,7 +4817,7 @@ async function assertMigrationsReproduceLocalTypes(loaded, target) {
 		await service.processNamespacePlugins();
 	}
 	const pluginExecutorFiles = generatePluginFilesIfNeeded(pluginManager, application.tailorDBServices, config.path);
-	const executorService = application.executorService ?? (pluginExecutorFiles.length > 0 ? (await import("../service-D6yonf2I.mjs")).createExecutorService({ config: { files: [] } }) : void 0);
+	const executorService = application.executorService ?? (pluginExecutorFiles.length > 0 ? (await import("../service-DCqIWibD.mjs")).createExecutorService({ config: { files: [] } }) : void 0);
 	await executorService?.loadExecutors();
 	if (pluginExecutorFiles.length > 0) await executorService?.loadPluginExecutorFiles([...pluginExecutorFiles]);
 	const executorUsedTypes = /* @__PURE__ */ new Set();
@@ -5038,7 +5094,7 @@ const upgradeCommand = defineAppCommand({
 	run: async (args) => {
 		const { initTelemetry } = await import("../telemetry-ClwW5ohF.mjs");
 		await initTelemetry();
-		const { upgrade } = await import("../service-DU1mVzri.mjs");
+		const { upgrade } = await import("../service-DU1mVzri2.mjs");
 		await upgrade({
 			from: args.from,
 			dryRun: args["dry-run"],
@@ -5356,6 +5412,7 @@ const workflowCommand = defineCommand({
 		list: listCommand$12,
 		get: getCommand$6,
 		start: startCommand,
+		wait: waitCommand,
 		executions: executionsCommand,
 		resume: resumeCommand
 	},
@@ -5469,7 +5526,7 @@ runMain(mainCommand, {
 				if (isVerbose() && error.stack) logger.debug(`\nStack trace:\n${error.stack}`);
 			} else logger.error(`Unknown error: ${error}`);
 			if (!isCLIError(error) && (!(error instanceof Error) || error instanceof TypeError || error instanceof RangeError)) {
-				const { reportCrash } = await import("../crashreport-pr6Rhvza.mjs");
+				const { reportCrash } = await import("../crashreport-BMWcxeSE.mjs");
 				await reportCrash(error, "handledError");
 			}
 		}